detection.wiki

Detection rules › Sigma

Suspicious Greedy Compression Using Rar.EXE

Severity
high
Author
X__Junior (Nextron Systems), Florian Roth (Nextron Systems)
Source
upstream

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059 Command and Scripting Interpreter

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: 1 of selection_opt_1

or:
Description: 'Command line RAR'
Image|endswith: '\rar.exe'

Stage 2: 1 of selection_opt_2

or:
CommandLine|contains: ' a -m'
CommandLine|contains: '.exe a '

Stage 3: all of selection_cli_flags

CommandLine|contains: ' -hp'
CommandLine|contains: ' -r '

Stage 4: all of selection_cli_folders

or:
CommandLine|contains: ' %public%'
CommandLine|contains: ' ?:\$Recycle.bin\'
CommandLine|contains: ' ?:\PerfLogs\'
CommandLine|contains: ' ?:\Temp'
CommandLine|contains: ' ?:\Users\Public\'
CommandLine|contains: ' ?:\Windows\'
CommandLine|contains: ' ?:\\\*.'
CommandLine|contains: ' ?:\\\\\*.'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • %public%
  • -hp corpus 3 (sigma 3)
  • -r corpus 2 (sigma 2)
  • ?:\$Recycle.bin\
  • ?:\PerfLogs\
  • ?:\Temp
  • ?:\Users\Public\
  • ?:\Windows\
  • ?:\\\*.
  • ?:\\\\\*.
  • a -m
  • .exe a
Descriptioneq
  • Command line RAR corpus 3 (sigma 3)
Imageends_with
  • \rar.exe corpus 4 (sigma 4)